CIPP Cheat Sheet 2026

The 30 highest-yield CIPP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

90 questions
150 min time limit
68.00% to pass
  1. Under the Gramm-Leach-Bliley Act (GLBA), what must financial institutions provide to customers at the time of establishing a customer relationship? An initial privacy notice
  2. Which federal agency has primary enforcement authority over national banks under GLBA's privacy provisions? Office of the Comptroller of the Currency (OCC)
  3. The Fair and Accurate Credit Transactions Act (FACTA) most significantly amended FCRA by establishing: The right to one free credit report per year from each major consumer reporting agency
  4. What right allows California consumers to correct inaccurate personal information held by a business? Right to Correct (added by CPRA)
  5. Which type of entity is directly covered by HIPAA's Privacy Rule? Covered entities (health plans, providers, clearinghouses)
  6. Under US law, what is the primary federal statute governing spam texts sent to mobile phones? Telephone Consumer Protection Act (TCPA)
  7. Which privacy concern arises when employers use social media screening of job applicants? Exposure to legally protected characteristics not visible during the interview process
  8. Which HIPAA right allows a patient to request that a covered entity not disclose their PHI to their health plan for services paid out-of-pocket? Right to request restrictions on disclosures to health plans
  9. Which of the following constitutes a 'permissible purpose' for obtaining a consumer report under FCRA? A credit transaction initiated by the consumer
  10. Which type of information was added to many states' breach notification laws following high-profile biometric data breaches? Biometric data (fingerprints, facial recognition)
  11. Which of the following is NOT a permitted use or disclosure of PHI under the HIPAA Privacy Rule without patient authorization? Marketing campaigns selling health products
  12. Under GLBA, which entities qualify as 'financial institutions' subject to its privacy provisions? Businesses significantly engaged in financial activities
  13. The FCRA 'Furnisher Rule' primarily requires entities that report information to consumer reporting agencies to: Maintain reasonable policies to ensure accuracy and integrity of reported information
  14. Under FERPA, when does a student's (not parent's) right to control education records begin? When the student turns 18 or attends a postsecondary institution
  15. Which GLBA exception permits financial institutions to share NPI with unaffiliated third parties without offering consumers an opt-out right? Joint marketing agreement exception
  16. Under the 2023 FTC Safeguards Rule amendment, non-banking financial institutions must notify the FTC of breaches affecting how many customers? 500 or more customers
  17. What is the primary purpose of a 'risk of harm' threshold in breach notification laws? To require notification only when there is meaningful risk of harm to individuals
  18. What is the HIPAA Privacy Rule's general rule on the use of PHI for marketing? PHI cannot be used for marketing without written patient authorization
  19. Which type of employee data is most commonly regulated by state biometric privacy laws like Illinois BIPA? Fingerprint scans used for timekeeping or access control
  20. Which US law regulates the privacy of electronic communications made by pen register or trap-and-trace devices? Pen Register Act (Title III of ECPA)
  21. The GLBA opt-out right allows consumers to prevent a financial institution from sharing their NPI with which type of party? Unaffiliated third parties not covered by a statutory exception
  22. Under FTC authority, breach notification for certain health apps is governed by what rule? Health Breach Notification Rule
  23. Which entity established by the CPRA is responsible for enforcing California privacy law and issuing regulations? California Privacy Protection Agency (CPPA)
  24. Which of the following is excluded from the definition of 'nonpublic personal information' (NPI) under GLBA? Publicly available information from government records
  25. Which of the following is NOT a permissible purpose for obtaining a consumer report under FCRA? Satisfying personal curiosity about a neighbor
  26. FACTA's 'Red Flags Rule' requires covered entities to: Develop and implement written programs to detect and respond to identity theft red flags
  27. When a consumer reports identity theft under FACTA, what right does the consumer have regarding their credit report? Place a fraud alert and block fraudulent information resulting from the identity theft
  28. Self-regulation principally entails a company's right to what, according to Section 5 of the FTC Act? Determine which bodies will be involved in adjudication
  29. Under the ADA, what type of employee medical information must employers keep in confidential files separate from general personnel files? All medical information obtained through employment-related examinations or inquiries
  30. What CPRA requirement applies to businesses that engage in 'profiling' consumers in ways that significantly affect them? Right to opt out of automated decision-making and profiling
Turn these facts into recall: